back to article Researcher hacks aircraft controls with Android smartphone

A presentation at the Hack In The Box security summit in Amsterdam has demonstrated that it's possible to take control of aircraft flight systems and communications using an Android smartphone and some specialized attack code. Hugo Teso, a security researcher at N.Runs and a commercial airline pilot, spent three years …

COMMENTS

This topic is closed for new posts.
  1. Don Jefe
    Meh

    Knew It Was Coming

    This sort of thing has been discussed in military confrences in the past but considered low risk mainly because:

    A) It was assumed that technology to interfere/control civilian aircraft systems could not be obtained by civilians.

    B) State entities that could exploit civilian aircraft systems vulnerabilities would not because they are civilian aircraft and not considered military targets.

    Guess that's all out the window now.

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: Knew It Was Coming

      To paraphrase T. H. White, if it is not completely bulletproof, it will be exploited. Just because I cannot think of a reason that someone might want to exploit a particular flaw does not mean that someone else will not come up with one, even if it amounts to sheer bloodymindedness. To take the given reasons apart

      A) Where there is money, there is a way.

      B) Because no state entity has ever gone after non-military targets or used civilian tech to go after the same?

      C) Left off: non-state actors. There may be a few of these out there.

    2. Anonymous Coward
      Devil

      Re: Knew It Was Coming

      I'd love to be in a plane where this was done...

      With a back door, a parachute and plenty of altitude....

      Just in case.... or as a matter of course.

      Don't fancy a lap-top landing.

      1. LinkOfHyrule
        Coffee/keyboard

        Re: lap-top landing

        hahaha!

        But then again, I bet it happens all the time with Predator Drones!

      2. pepper
        Thumb Up

        Re: Knew It Was Coming

        Jetliners are notoriously bad to jump out. What you would need is a old 727 with the staircase in the tail. I believe a hijacker once used that to escape said plane.

        1. ElNumbre
          Thumb Up

          Re: Knew It Was Coming

          @Pepper - See 'D.B Cooper'.

          Also that Channel 4 programme a few months ago where they intentionally crashed a 727 a) for TV ratings and b) sheets and giggles. Oh, and some science too.

        2. Jerren
          Boffin

          Re: Knew It Was Coming

          @ Pepper Your referring to the infamous DB Cooper case and several others who tried to copy his escape, and while some of the money was found I believe the case is still open and there is some speculation around if he survived the experience. The 727's now have a interlock called the cooper vane to prevent the rear stair from opening if the plane is not on the ground wheels down specifically to prevent this from happening again.

      3. garbo
        Boffin

        Re: Knew It Was Coming

        "With a back door, a parachute and plenty of altitude...." Really?

        At 33,000 ft (10,000m), the usual airliner cruising height, the temperature is around -50 C! If you didn't suffocate from hypoxia you'd freeze before you hit the ground. Stick to buses.

    3. Whitter
      Joke

      Re: Knew It Was Coming

      Wasn't it obvious when they put an "airplane mode" into your phone?

      I just never knew what it was really for.

      Who needs MS flight sim now!

    4. mark 63 Silver badge
      FAIL

      Re: Knew It Was Coming

      "A) It was assumed that technology to interfere/control civilian aircraft systems could not be obtained by civilians."

      what? a smartphone?

      Captain crunch interfered with the Telephone system by whistling at it!

    5. John Smith 19 Gold badge
      Unhappy

      Re: Knew It Was Coming

      "This sort of thing has been discussed in military confrences in the past but considered low risk mainly because:

      A) It was assumed that technology to interfere/control civilian aircraft systems could not be obtained by civilians.

      B) State entities that could exploit civilian aircraft systems vulnerabilities would not because they are civilian aircraft and not considered military targets."

      So the first, last and onlylime of defense has turned out to be the assumption that "smart people who want to do this cannot get hold of the tech to do so"

      Remember the video feeds from drones in Afghanistan which also were thought "secure" because a) They can't do this and b) What use would insurgents have with seen themselves? Answer by seeing what you see they can know where you are not looking.

  2. CaNsA
    Meh

    kinda fittng...

    http://i.imgur.com/Z6008g0.jpg

    1. Anonymous Coward
      Pint

      Re: kinda fittng...

      Thanks! I've been looking for that one for years :)

  3. Notas Badoff
    Megaphone

    Sky's the limit

    I'm afraid this hits my limit on public disclosure and it is plain irresponsible to do this. Always assume there are people out there much cleverer than you are. This jerk's work of 3 years might just be reproducible in 3 weeks by someone else. Once realizing that small fact he'll be rather sleepless too. Nothing like having your name publicly associated with "how could that disaster happen?" Ahh, fame at last.

    "The hacked aircraft could even be controlled using a smartphone's accelerometer to vary its course and speed by moving the handset about."

    Assuming the handset would need to be in proximity to said aircraft, as in inside, this would be the classic mad scientist's belated education in unintended consequences, as having moved the handset and induced a reaction, the reaction would induce a further reaction in the now flailing handset, culminating in the now doomed passengers telling said sad sack "we could have told you that would happen - don't you ever watch movies?"

    1. Destroy All Monsters Silver badge
      FAIL

      Re: Sky's the limit

      "Always assume there are people out there much cleverer than you are."

      I think you just invalidated your own argument. You are none too clever.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sky's the limit

        my independent non-governmental lab did similar private security research and submitted the draft report to the security authorities. The security authorities gave me a short interview (with coffee) in 2008.

        Fast forward 5 years.....and Nothing in the way of security/authentication/verification/repudiation technology has yet seemed to change - with the orchestrated industry/regulatory momentum favoring upgrading SSR to an unencrypted unauthenticated megabit/sec data link as part of the interesting NextGen push. This can now be played with using an eleven dollar (US$11) software defined DVB-T receiver dongle (http://www.reddit.com/r/RTLSDR/comments/s6ddo/rtlsdr_compatibility_list_v2_work_in_progress/)

        many researchers have independently discovered these vulns. Shirley something should be done?

        1. Robin 1

          Re: Sky's the limit

          I think we all agree that something should be done. Very typical for this sort of thing to be ignored.

          And, don't call me Shirley.

      2. Anonymous Coward
        Headmaster

        Re: Sky's the limit

        "Always assume there are people out there much cleverer than you are."

        I think you just invalidated your own argument. You are none too clever.

        Well, then he validated his argument.

    2. VinceH

      Re: Sky's the limit

      "we could have told you that would happen - don't you ever watch movies?"

      I probably will do when it comes out. Someone's probably drafting up a script based around the idea even as we speak.

    3. Chris007
      FAIL

      Re: Sky's the limit @Notas Badoff

      "Always assume there are people out there much cleverer than you are"

      And in your case it should read "Always assume that all people out there much cleverer than me"

    4. Anonymous Coward
      Anonymous Coward

      Re: Sky's the limit

      > I'm afraid this hits my limit on public disclosure and it is plain irresponsible to do this.

      Well as the AC says

      > y independent non-governmental lab did similar private security research and submitted the draft report ... Fast forward 5 years.....and Nothing....

      Sometimes being responsible just means that nothing gets done.

      I remember many years back working in support for a big company. I customer reported a security vulnerability to me. I confirmed it and fed it back to the developers. Their management said, we're half way through cutting tapes for the next release its too expensive to fix now, it can wait for the next release after that.

      One of my friends hit the roof when he read this response.

      So he went onto the internal forum and posted something along the lines of

      "Hey guys try this

      type .....

      Then .....

      count to 5

      now do ....

      and ....

      now see who you are

      have a nice day!"

      The shit hit the fan

      Our manger stormed round to see what the F*&^ we'd done

      We explained

      Our manger said, "OK, that's now my shit" and went on the war path.

      Two days later the company had procedures in place to handle urgent security cockups.

      There are times when you scream till you're blue in the face and get nowhere

      And if you really want things to happen you just have to put your balls on the chopping block and make a big enough scene no one can brush it under the carpet.

      Hats off to guys with bigger balls than I had.

      1. MacGyver

        Re: Sky's the limit

        AC 9:28, not every company doesn't listen, some do, just no one ever hears about it.

        I started working for Gateway as a service tech back in 2000, and my first day on the job my co-worker was showing me their awesome program that the company was bundling with all their computers called "Cybermedia First Aid 98". He was showing me how it could "show" customers how to install things like printers or remove programs, and by show I mean take control of the mouse and use it as a person to interact with objects on the screen. I was like, "Cool, I wonder what else it can do and how it works." So I figured out how to use it to control and open everything, then I wondered how much security it had in it because it was using web-page based help documents (I thought, it has to check that the webpage is local), so I wrote a "Format the A: drive" web-page, and uploaded it to a Geocities site I had, and sure enough, the instant I viewed the webpage with the embedded commands, my mouse pointer was off clicking and right clicking. I sent an email to my district manager detailing what I had done, and a link to the Geocities site with the now more benign "Install a printer webpage", I never heard anything back, ever. But 3 weeks later I noticed that we stopped bundling that First Aid software with every new computer. They had been installing it on EVERY computer they had made for the past 3 years. No one ever thought to question how their magic little program was taking control of the mouse, except the new guy. They never even thanked me, can you image if CNN had gotten a hold of that story? "Every Gateway computer can be hijacked by visiting webpages." I never told anyone until now, I figure 13 years is long enough.

    5. Loyal Commenter Silver badge

      Re: Sky's the limit

      This jerk's work of 3 years might just be reproducible in 3 weeks by someone else.

      Sigh.

      Repeat after me;

      Security by obscurity is no security.

      What this 'jerk' has done is to demonstrate that the systems that are in place have been built without proper consideration to security, which should have been built into it from the start. If your PC can securely communicate with your bank over the public internet using SSL, then there is absolutely no reason the communications between an aeroplane and a ground control station cannot be encrypted and authenticated in exactly the same way.

      The fact that they haven't shows that the system has either:

      a) been deliberately designed this way so that the information being broadcast CAN be eavesdropped and/or overridden (possibly at the behest of governments/military),

      b) been designed in a hurry without any thought about security, or

      c) designed by a committee of idiots with no knowledge of basic security principles.

      I'm cynical enough to consider any or all of these a strong possibility.

    6. DJ Particle

      Re: Sky's the limit

      "Assuming the handset would need to be in proximity to said aircraft"

      I read nothing that said the handset had to be in the aircraft. It looks like this is being done over the internet. Banning devices on the plane would do nothing to stop this if it gets in the field.

      1. Anonymous Coward
        Holmes

        In the plane... In the field...

  4. Wallyb132
    Black Helicopters

    There goes the use of in-flight devices....

    1. Bod

      RE: There goes the use of in-flight devices....

      Not just having to turn off your phone or stick them in flight mode, they'll be confiscated entirely or have to go in the hold luggage where they'll never be seen again when they go through Thiefrow and the like. Even then in the hold they could be programmed to wake up and attack the plane in flight.

      Faraday cage in the cabin perhaps.

      1. JDX Gold badge

        Re: RE: There goes the use of in-flight devices....

        And just as they were starting to see sense and I would've been able to use my Kindle during take-off..

        1. John Robson Silver badge
          WTF?

          Re: RE: There goes the use of in-flight devices....

          I always use my kindle during take off, and landing.

          Most of the time it's an idle device - when I hit a physical button it reads a little data from memory and pushes it to the e-ink screen.

          I'm normally somewhat distracted at the moment of take off (into the clouds at any rate) and from the clouds to touchdown, since I enjoy looking out of the windows - but I've never had a flight attendant say anything to me about the kindle...

    2. Richard Scratcher
      Unhappy

      We won't even be allowed to play snakes on a plane.

  5. Destroy All Monsters Silver badge
    Holmes

    Now I know how these russian dudes managed to crash an airliner in Die Hard II by just moving the ground's representation on a CRT.

    No wait, planes weren't as computerized back then...

    Anyway, this all seems rather far-fetched and complicated to pull off when it's easier to blow up a 4x4 at a mall.

    1. Rukario
      Paris Hilton

      Blow up a 4x4?

      And I'll huff, and I'll puff

      And I'll bloooooowwwww your mall down

      <- I'm sure she's been adequately blown.

      1. Tom 35

        Re: Blow up a 4x4?

        You will just burn your lips on the tail pipe.

    2. ReggiePerrin
      Coat

      Die Hard

      They were americans not russians...

      1. Aqua Marina

        Re: Die Hard

        Had this been an article about Die Hard 6.0 where terrorists take over a plane using an iPad, I have no doubt a lot of critical commentards will have been droning on how this could never happen, and surely aeroplane systems will have been thoroughly tested and segrated and anyone suggesting otherwise, well is plainly stupid. A bit like they did with the GCHQ screw ups :p

        1. Mikey
          Joke

          Re: Die Hard

          Well, to be fair, it CAN'T happen with an iPad. You barely get access to the bloody thing itself, let alone any other devices it could connect to. Plus of course, we'd have to wait for Apple to release drivers for the plane you happen to be in, and that could take months.

          Unless you jailbreak it, which is what you'll be needing to do yourself when the nice men with tasers appear after the unscheduled emergency landing...

    3. Anonymous Coward
      Anonymous Coward

      Die Hard II

      Actually planes were computerised back then with sophisticated autopilot systems. The system the American terrorists used to crash the plane was ILS (Instrument Landing System) which guides a plane down to the runway and is based on land. Commercial aircraft have been able to land themselves since the seventies (Autoland was introduced on the Hawker Siddeley Trident) using ILS. All commercial pilots use ILS as a guidance when landing to ensure they are on the correct glide path and heading for the runway.

      The ILS Glide Path antennas transmit 2 signals one 0.7 degrees above the glide slope and one 0.7 below, with the glide slope of about 3 degrees.

      Still, hacking ILS to readjust sea level is a bit far fetched and to achieve their goal they would need to change the defined glide slope (not sure how easy that would be), and there are also the inner, middle and outer beacons which are defined for the approach, giving altitudes required if on an ILS approach, so the pilots can confirm if they are on the correct glide path.

      So it is possibly doable (even then), but requires a lot more work than in Die Hard.

      1. Stacy
        Joke

        Re: Die Hard II

        You mean that wasn't real! And you can't do it by pulling a line down a screen!

        My world has just been torn apart

        :''(

      2. Mike Pellatt
        Childcatcher

        Re: Die Hard II

        All they needed to do was give out an incorrect atmospheric pressure for the location.

        Rememberer a documentary on a company that flew cargo (mostly) for the oil exploration - Lion Air. Pilot coming into land at a Nigerian field - pointed ouit the wreckage at the side of the runway where the tower had given out incorrect pressure, pilot thought he as a few metres above the runway when he, errr, wasn't. Bang,

  6. dssf

    Well, to be fair to the researcher...

    Well, to be fair to the researcher, the article did state that authorities were apprised before the conference.

    This is just yet another example of the airlines and the FAA to some extent putting profit or budgets above safety and security. Until and unless researchers do what that one did, the flying public is safe only as long as the security holes are not exploited.

    As for the pilot being able to manually regain control, that all depends on whether the in-flight or on-ground manipulator did not in advance figure out how to command the circuits to short out or overrun equipment into an overheat and shutdown mode just prior to commanding a fatal dive or stall-inducing climb.

    1. John G Imrie

      Pilot can regain controll

      Fly by wire anyone?

      1. Smallbrainfield
        Alert

        Re: Pilot can regain controll

        If the hacker can control what the cockpit display is showing, how does a pilot know he isn't flying in the wrong direction?

        This assumes the pilot knows his aircraft has been hacked. I suppose he could navigate by the sun / stars, but if the hacker was smart he could put the heading out by a few degrees and you'd soon be way off course..

        1. pepper

          Re: Pilot can regain controll

          Many planes still have a good old 'analogue' instrument backup. Offcourse a ILS approach might become difficult nor is VFR plausible under all conditions. So control is to be taken with a grain of salt I suppose.

        2. Ken Hagan Gold badge

          Re: Pilot can regain controll

          You probably don't need *much* of a deviation in some parts of the world to send a plane into restricted airspace, at which point someone else will do the shooting down bit.

          1. John Smith 19 Gold badge
            Unhappy

            Re: Pilot can regain controll

            "You probably don't need *much* of a deviation in some parts of the world to send a plane into restricted airspace, at which point someone else will do the shooting down bit."

            How about a tricky landing somewhere the airport is inside a mountain range, a slight deviation off line (and the pilots trusting the computer) and before you know it.....

            Of course that could never happen IRL.

      2. ThreadGuy

        Re: Pilot can regain controll

        Fly by wireless

    2. JimC

      Re: As for the pilot being able to manually regain control

      It also depends on the pilot being able to maintain situational awareness if his instruments aren't telling him what he expects, and not, for example, continuing to pull the nose up when the plane is in a stall.

  7. Christian Berger

    Wouldn't it be reasonable to have some sort of security?

    I mean like having strictly separated networks? I mean those systems probably don't run Windows so you don't need to connect them to the Internet for updates.

    1. Crisp

      Re: Wouldn't it be reasonable to have some sort of security?

      You'd think.

      Security from the start. It applies to engineers as well as developers!

    2. Anonymous Coward
      Anonymous Coward

      Re: Wouldn't it be reasonable to have some sort of security?

      You need to connect the aircraft to the Internet so it can download the latest in-flight entertainment content. Too many separate segregated networks cost too much money. Put it all on one network, use WiFi to connect to the ground for updates while on station at the airport, job done dirt cheap. What could possibly go wrong?

    3. This post has been deleted by its author

    4. Onid
      FAIL

      Re: Wouldn't it be reasonable to have some sort of security?

      don't run windows ya say???

      check this picture of an airbus A380

      http://www.airliners.net/photo/0957790/L/

      what's behind each of the joysticks?? a screen with ARGGGHHH we're gonna die - windows...

      1. Dave Oldham
        Happy

        Re: Wouldn't it be reasonable to have some sort of security?

        I wonder if the pilot gets bored he could just load up a copy of Microsoft® Flight Simulator X to pass the time away.

      2. Anonymous Coward
        Anonymous Coward

        Re: Wouldn't it be reasonable to have some sort of security?

        This screen is mainly used for the OANS (navigation help for circulation on the surface of the airports) and those equipment are not a critical part of the CDS (The actual useful IHM). The OANS only retrieve the position information, nothing more.

        However, this software is NOT windows-based (The OS is a derivative of the same software used in the display units and HUDs) and I don't really knows where this "Windows" screen comes from.

        Probably a completely separate computer sharing only the screen component.

        AC because I'm supposed to work on A380 L6.0 SW...

        1. Anonymous Coward
          Anonymous Coward

          Re: Wouldn't it be reasonable to have some sort of security?

          « I don't really knows where this "Windows" screen comes from.

          Probably a completely separate computer sharing only the screen component. »

          Note the aircraft reg (F-WWOW). This is a temporary registration for aircraft with a restricted airworthiness certificate, typically used (notably by EADS) for prototypes, and for ferry flights.

          What I'm getting at, looks like you may be right on the "separate computer" hypothesis. Maybe someone's laptop wired up to the monitor?

      3. Anonymous Coward
        Thumb Up

        Re: Wouldn't it be reasonable to have some sort of security?

        > check this picture of an airbus A380

        Wonder what the fire button on the joystick does: missiles or cannon?

  8. Neoc

    Take your pick

    Which option do you think the various safety administrations will take:

    (a) Actually harden the software and hardware on aircrafts so that the messages might still be read but not interfered with; or

    (b) get the TSA to ban smartphones and tablets (and computers?), causing massive disruptions to the public but not actually addressing the problem?

  9. Gunda

    So if I think my pilot is not doing a good enough job, I can take over and fly it with my phone to show the bugger how it is done! I am sure that like pilots were given ipads for aircraft manuals instead of books, they will soon get smartphones for controls instead of a cockpit, where premium seats set up for rich aviation fans

    1. Rukario
      FAIL

      iPad cannot connect...

      iCloud is down for emergency maintenance...

      you are going down.

  10. Neil Barnes Silver badge

    Hi! I'm Clippy!

    Looks like you're trying to control a plane! Well done!

    Would you like to go to:

    [a] Cuba?

    [b]...

  11. Cliff

    If the Daily Mail cover this story...

    ...this guy will be strung from a lamppost. The messenger is always easier to kill than the message to digest.

    1. g e
      Holmes

      Re: If the Daily Mail cover this story...

      If the DM cover it the headline will be

      TERRORISTS TAKE OVER PLANE WITH AN IPAD

      Despite (a) it not having happened (b) it only being the newest proof of concept right now and (c) you can't do it with an ipad

      The really scary part is DM readers won't question it - that's why they read the DM in the first place, to be told what to think, to save the effort of having to do it for themselves.

      1. TipsyTigger
        Facepalm

        Re: If the Daily Mail cover this story...

        Never mind the DM, how about the BBC?!

        http://www.bbc.co.uk/news/technology-22107433

      2. Field Marshal Von Krakenfart
        Facepalm

        Re: If the Daily Mail cover this story...

        If that ever happens the authorities response will be.......

        . . . . . . . . . . to ban <insert name of device here>

  12. Anonymous Coward
    Anonymous Coward

    Oh no...

    Coming to an App store near you soon...

  13. Anonymous Coward
    Anonymous Coward

    Palm Pilot?

    Nuff said...

  14. Scott Broukell
    Coat

    No, it's not really a joking matter ....

    ... but will peeps become scada flying.

    1. Naughtyhorse

      Re: No, it's not really a joking matter ....

      Oh Noes!!!1!

      if ppl scada flying we'll al be stux

  15. Filippo

    Special equipment?

    I don't think these systems connect through wi-fi or bluetooth, so surely some special equipment is required in order to implement this hack?

    1. Khaptain Silver badge

      Re: Special equipment?

      Radio signals apparently

      1. JeffyPooh
        Pint

        Re: Special equipment?

        "Radio signals"

        Yep, the Google Nexus 4 actually contains a complete ACARS transceiver that can be enabled by rooting the phone and setting one bit thusly: ACARS = On.

        Strange but true...

  16. Parax
    Boffin

    Nope!

    "The hacked aircraft could even be controlled using a smartphone's accelerometer to vary its course and speed by moving the handset about."

    Feedback loop, It'll only end one way.

    1. Destroy All Monsters Silver badge
      Trollface

      Re: Nope!

      The funny thing about feedback loops is that it can end at least two ways.

    2. Mephistro Silver badge
      Unhappy

      Re: Nope!

      "Feedback loop, It'll only end one way."

      Not necessarily. There are several ways to interrupt this particular feedback loop. One would be using a GPS receiver included in the smartphone, other would be to stop the signal when a certain, fixed amount of course change had happened, or after a fixed amount of time.

      Nevertheless, it might well be the case that the terrorists wouldn't be too interested in preventing the plane from crashing. Just sayin'.

  17. Stretch
    FAIL

    "the Federal Aviation Administration and the European Aviation Safety Administration have both been informed and are working on fixing the issue"

    Oh yeah good luck patching that.

    1. R Soles

      it's going to take some time ...

      According to the CIA Factbook, as of 2010 there were 43 983 airports worldwide (of all types). Mr Google claims that 836 of these are international.

      According to various manufacturer information, there were worldwide in 2005

      312,000 Active General Aviation Aircraft

      17,770 Passenger Aircraft

      89,129 Military Aircraft

      26,500 Civil Helicopters

      29,700 Military Helicopters.

      http://answers.google.com/answers/threadview/id/584144.html

  18. James 51
    Black Helicopters

    I am surprised that they didn't just chuck him in prison to shut him up.

  19. trashbat
    Thumb Down

    Platform of Doom

    You'd not have any of this on Lovely iPhone, would you? On Lovely iPhone you would have a lovely picture of a plane flying along all wonderfully and everything would be great.

    1. trashbat
      Thumb Down

      Re: Platform of Doom

      Steve Jobs PBUH once said to me, 'Trashbat my love, I'm dying now, but if I could leave just one gift to this world, it's that my overly restrictive platform limitations will one day prevent the exploitation of vulnerabilities in the Aircraft Communications Addressing and Reporting System', and then - alas - he did die, but he was wrong wasn't he, because of horrible Android, Android, weeing on his grave.

  20. Morphius
    Black Helicopters

    BOFH predates this...

    A few years back BOFH redirected his conference flight from it's boring destination to one with many more cocktails.

    Makes me wonder when the security robots are going to appear around here *prepares the pickaxe*

  21. Robin Bradshaw
    Boffin

    Not the only one wondering

    Not quite the same but someone gave a talk at defcon 20 about the possibility of feeding data out of an x-plane simulation into gunradio to broadcast x-plane generated ADS-B into the real world, the flipside of feeding real world ADS-B into x-plane so you can virtually fly with real world planes did intrigue me thought, that could be fun.

    http://www.youtube.com/watch?v=CXv1j3GbgLk

  22. poohbear

    Mmm a while back Iran brought down a drone remotely .... sounds like they used a similar approach.

  23. ollieclark
    FAIL

    So what do we think the authorities will do?

    a) Fix or install security in the flight systems.

    b) Ban all electronic devices from flights.

    c) Nothing. It hasn't happened yet so there's no reason to believe it ever will.

    My money's on c) until it does happens and then b).

    1. Silverburn

      Only snag with this, was - as I understood it - it could be ground-based as well, since the link has two end points.

      So banning of all electronic devices within a 5 miles radius of the airport is the sort of proposterous outcome I would expect.

      1. JeffyPooh
        Pint

        "...banning of all electronic devices within a 5 miles radius of the airport..."

        An array of Yagi antenna could reach vastly further than 5 miles.

        Better ban all electronic devices - period.

    2. DJ Particle

      Doing (b) won't do anything... the hack uses the internet. Don't need to be on the plane to attack it.

  24. Joe Harrison

    ADS-B is really good

    Although it's a one-way broadcast from the plane so I don't completely see the security implications apart from the possibility of somehow spoofing the aircraft location with a stronger signal.

    For real-world ADS-B fun try

    www.flightradar24.com

    1. Naughtyhorse

      Re: ADS-B is really good

      nice!

      AQ's app of the year :-)

    2. GavinC

      Re: ADS-B is really good

      Yes, i don't understand the ADS-B based hack - as you say it is one way from the aircraft to base stations, and is then used by ATC to plot the location of the aircraft (backed up by radar as well I believe), so the only hack here would be to make ATC think the plane is somewhere other than where it actually is (although this could cause major problems).

      The other hack mentions using ACARS, which is a two way communication protocol, used mainly for transmitting messages between aircraft and head office/operations departments. As these messages pass through the FMC (Flight Management Computer), I guess a buffer overflow or similar could be used to take control of the FMC, allowing you to manipulate the flight plan of the aircraft, or perhaps override the GPS data to redirect the aircraft.

      1. Anonymous Coward
        Anonymous Coward

        Re: ADS-B is really good

        « Yes, i don't understand the ADS-B based hack »

        Much of the information you will need to build the "malicious" ACARS message is broadcast by the aircraft over ADS-B.

        « I guess a buffer overflow or similar could be used to take control of the FMC »

        No. Data can be fed directly to the FMC via ACARS by design. It's kind of the whole point of ACARS. :)

  25. Dave 62
    Pint

    I'm still not seeing whether the aircraft can actually be controlled *remotely* by a phone, this is not at any point stated, is this like the old academia trick of omitting some piece of information so that uneducated readers will assume you have made some huge breakthrough?

    Like "OMG CLOAKING" (of a single molecule at microwave frequencies)

    or "QUANTUM TELEPORTING!!11" (only not really)

    So.. does it actually need to be plugged into the aircraft in some way? Because if so, less scary, if not, scary.

    1. Silverburn

      From what I read, full control needs local access and thus out of scope, whereas hacking the autopilot only needs piggybacking of ACARS. Given how prevant autopilot is used in flight these days, it's not insignicant.

  26. Anonymous Coward
    Anonymous Coward

    knee-jerk reaction

    I know what's coming int wake of this. And what' gonna stay with us for the next 50 years. No, not hack-proofed or shielded airplane controls, nosir, this would be too... rational. We, the humans, prefer "would please all passangers switch off all their electronic devices for the duration of the flight, including those with a "airplane mode". Thank you for your cooperation".

  27. Anonymous Coward
    Facepalm

    Oh dear.

    "This has no security at all, he found"

    Can it be called a hack then? I agree it's wrong to hack. But I am more concerned about the lack of security. As I can do little to prevent people from stealing or causing trouble, but I can do my best to protect myself (and hopefully others) from such things. So the priority should really be in upping the security of the connection, then possibly blocking mobile/radio transmission from the cabin (not to mention airport).

  28. hugo tyson
    FAIL

    Does this need a special transmitter?

    The article doesn't make clear whether you need to build a special peripheral transmitter for your phone to be able to send the bogus messages. That's quite important don't we think? Looks like you do, from the (truly groovy) presentation - not clear if the software-controlled radios in your WiFi/BlueTooth/FM chip in the phone can be hacked to transmit the trick packets.

    That there are code-injection flaws and no authentication for all this stuff is of course unsurprising, sadly.

    Same's true of AIS whereby ships report their position, speed, cargo, size &c &c to ground stations. I don't think the coastguard (analog of ATC functions) can automagically redirect a ship, but fake AIS transmissions suggesting unauthorised tankers speeding up the Thames could be a cover for a more serious attack somehow, as well as just disruptive in itself.

    1. Frankee Llonnygog

      Re: Does this need a special transmitter?

      Of course you do, So, while the fact that he's using an Android phone as a computer is attention grabbing, it isn't quite as simple as turning on WiFi. In fact, you'd be more likely to choose something a bit more reliable like a laptop and put it into a piece of checked in luggage - obviating the need to actually board the plane you intend to crash.

      1. GavinC

        Re: Does this need a special transmitter?

        the attack mentioned is ground based - i.e you do not need to be onboard the aircraft.

        Aircraft use a protocol called ACARS to transmit messages between them and operations / head office. They are broadcast over FM radio at 131.55 Mhz, and can be picked up by a typical airband scanner (they are digital, so all you will hear is a series of bleeps), tie that up to a laptop running freely available software and you can read the messages being sent.

        The attack involves broadcasting messages back to the plane, so you would need an FM transmitter capable of broadcasting on 131.55 Mhz. It would then be a case of using typical h4x0r methods, such as buffer overflows to exploit weaknesses and inject code into the system.

        1. JeffyPooh
          Pint

          Re: Does this need a special transmitter?

          GavinC: "ACARS ... broadcast over FM radio at 131.55 MHz"

          Wiki ACARS: "...using existing VHF [aircraft] radios..."

          That'd be AM then. Aircraft are still using AM for various reasons.

        2. Anonymous Coward
          Anonymous Coward

          @GavinC [Re: Does this need a special transmitter?]

          YEEEESSSSSSSS!!!!!!!!!!!!!!!!!

          SOMEONE'S GOT IT!!!! GOD I'M SO EXCITED!!!!!

          :)

          Sorry about the outburst, but yes, in a nutshell that's it. It says as much in the article even though the hack who wrote it clearly had no idea about the technology concerned. There is also the link to the bloke's presentation, which explains it a bit better (it does not go into any detail, but there is no need for it either if you're vaguely knowledgeable in this area).

  29. TomChaton
    Unhappy

    Christ! :(

    Title says it all.

  30. ecofeco Silver badge
    Facepalm

    Idiocrary

    Yer livin' in it.

  31. Lamont Cranston

    It's called SIMON,

    and it can reset a plane's navigation coordinates? That's Die Hard 2 and 3 covered, then. Does it "schieß dem Fenster", for the hat-trick?

    1. JeffyPooh
      Pint

      Re: It's called SIMON,

      In 'Die Hard', everyone was on the same channel. Police. Fire. Aircraft. Even the CB'ers. Everyone was fully interoperable without respect to channel frequency nor modulation mode. The DoD was impressed. They could've used this technology during the invasion of Grenada.

  32. ma1010
    Trollface

    This is nothing new. The BOFH did this years ago.

    http://tigay.net/rafi/bofh/1998/bofh_1998_024_152.php

  33. Anonymous Coward
    Anonymous Coward

    This should make a point

    One more very good reason to not allow electronic toys to be used in-flight.

    1. Intractable Potsherd Silver badge

      Re: This should make a point

      What are the others? I've not seen one yet.

  34. JeffyPooh
    Pint

    He found - LOL

    "...Automatic Dependent Surveillance-Broadcast (ADS-B) system ...has no security at all, he found..."

    Really??!!?? Say it isn't so!!

    D-oh! That explains all those ADS-B dongles being sold on the Interweb, and all the aircraft 'radar' apps that rely on 5-minute delayed FAA data and real time crowd-sourced ADS-B data. Wow - this explains it all. I wonder if anyone else knew this before this researcher found out this amazing tidbit. Like, for example, the perhaps-Chinese vendor that designed, built and sold him the ADS-B dongle that he undoubtedly used.

    1. Anonymous Coward
      Anonymous Coward

      Re: He found - LOL

      Jeffy, I think the journo who wrote the piece is to blame for that bit of extrapolation.

      I assume Mr. Teso knew full well ADS-B is not encrypted, as neither is ACARS or any of the other radio data links we use in civil aviation.

      Those of us involved in civil aviation (like Mr. Teso, I am also a commercial pilot) have known all this all along, but what Mr. Teso did which is interesting is that he built a (presumably) working proof of concept.

      His is a nice PR coup and it might perhaps have an impact in systems design, especially on the CHI (Computer Human Interaction) side of things. On the other hand he did not *discover* anything as such, neither does he claim to have, to my knowledge. Without getting into details (only because I do not have the details fresh in my memory and neither have any references handy), for this kind of "exploit" to cause any real problems you would also need a clever bit of social engineering to go with it, since at least two humans in the cockpit are part of the loop, plus usually a bunch more of them in the ground and in other cockpits around you.

      In other words, the system when considered as a whole rather than looking at its parts in isolation, is fairly resilient to intentional or unintentional data corruption.

      And BTW, phones have nothing to do with any of this. He just used them, instead of any other computer, for PR effect.

  35. Reg. Blank
    Facepalm

    It's worse than we thought

    Those incompetent fools in civil aviation don't even encrypt voice communications!!1 I mean, _anybody_ could wave an accelerometer equipped mobe around and also use an air band transciever like an icom ic-a24 bought off ebay to impersonate ATC and cause just about any radio equipped aircraft to land away from their desired destination by saying it's closed or the weather's bad. They might as well be directly manipulating the controls... as if by remote control! They even use AM mudulation just like an AM RADIO!!!! and everyone can listen to an AM radio!!! even terrierists.

    1. JeffyPooh
      Pint

      Re: It's worse than we thought

      I was about to correct "transcEIver", but then I saw "mudulation and "terrierists".

      Well done. This beer is for you.

    2. Anonymous Coward
      Anonymous Coward

      Re: It's worse than we thought

      « and everyone can listen to an AM radio!!! even terrierists. »

      I would have thought they would be busy walking their dogs.

  36. Anonymous Coward
    Anonymous Coward

    Who the hell makes an FMS that accepts ANY code via ACARS? I hope it is none of the major players, it really makes no sense that the capability would even be there. Or it is misunderstood and he can really just update flight plans and such without pilot interaction, using flaws in their system? I have my doubts about the veracity of this part of the story.

    Spoofing location data to control a plane has always been possible if you have a powerful enough transmitter, I'm surprised that no one has actually tried it before. Everyone in the industry knows about it, your system is only as good as the data it is receiving. This part is very real, although I do wonder about the feasibility in the real world.

  37. Alan Thompson
    Flame

    The next step will be to criminalize the purchase of commercial aviation parts from "non authorized" resellers by "non authorized" buyers.

    1. Idocrase

      That will REALLY upset the Mythbusters

  38. Idocrase

    It's a fake name, and they misnamed the phone.

    It was actually Tony Stark.

  39. This post has been deleted by its author

  40. Alan Firminger

    11 September 2001

    I have already posted on The Register that no civil airliner as large as a Boeing 757 hit the Pentagon.

    The rest is speculation.

    Shortly after the atrocity happened among the doubters people were asking whether an airliner could be controlled from the ground. I knew about the beacon which transmitted and received between the ground station and the a/c flight control computer, which also provided the autopilot flying through gps co-ordinates. I was shocked then, clearly a conspiracy could provide a vulnerable rom as an update. So I was wrong, every a/c is vulnerable.

    Vulnerabilities are even easier to utilise when the attacker has the code of the target system.

    In researching this well before 2003 I found several pages that proposed that to beat hijacking every airliner should be subject to an overriding control from the ground. A link from 2001 is below. I was troubled because hijacking is still a threat and ground control of the system through the existing radio channels was always possible if it was coded in.

    http://everything2.com/title/How+to+build+a+hijack-proof+airplane

    At the time a forum post reported that Lufthansa when they took a delivery of Boeing airliners refused the standard control code and wrote their own. Fly Lufthansa.

    When did Boeing system managers know that they were equipping their a/c with an OS as vulnerable as Windows ?

  41. Herby
    Joke

    Feedback?

    "The hacked aircraft could even be controlled using a smartphone's accelerometer to vary its course and speed by moving the handset about."

    Feedback loop, It'll only end one way.

    Of course, this is why LOT airlines only fills part of the plane. Everyone knows that you can't have poles in the right half of the plane, as it leads to instability of the control system.

    Sorry, I couldn't resist!

  42. John Smith 19 Gold badge
    Joke

    On the up side. *Lots* more mobiles available at *very* reasonable prices on eBay

    Courtesy of the "hard" working men and women of the Thieves Support Association.

    Hurrah!

  43. Anonymous Coward
    Anonymous Coward

    Validity?

    Yes, all very interesting, however while trying this you would generate an exception in the FMS - basically your ACARS message properly crafted may be able to influence aircraft movement - the ADS-B would be broadcasting the new position to ground, and the GPS would be indicating "true" position as an input.

    Result - autopilot disengages as one of the alternate flight modes is engaged.

    This hack ignores the redundancy of multiple inputs.

  44. AvSec Dude
    WTF?

    fud, fud, fud and more fud.

    This was a great PoC (proof of concept), but there are some important bits of information that seem to have been lost in the sensationalism of the story. They did not test the attack on a real aircraft with real aircraft systems. The system used to validate the exploit is a simulation version of the FMS code, this code is not the same as the code used in primary avionics systems and does not meet the DO-178 certification and the PC does not meet the DO-254 certification. The “full control” claim is not valid, there is no way to engage the autopilot from the FMS. Of course, when engaged in “managed mode” the A/C will follow the FMS.

    The aviation industry has known about this particular presentation for a while now.

    Other things left out of consideration are the multiple layers of the human factor that are involved in flying an airplane, such as the pilots quickly realizing something is a miss, since their printed flight plan would not match what is in the FMS. ATC would be squawking all over the place trying to determine why is the airplane deviating for its flight plan, etc.

    All in all this makes for some great headlines and talking point for bobbing heads and arm chair experts and generating more business opportunities for Hugo, but that's about all

    That being said, both ADS-B and ACARS could use some protocol strengthening up though.

  45. Boris S.

    Now we know...

    ...that the FAA was wrong again to allow electronic devices to be use on board.

  46. Anonymous Coward
    Anonymous Coward

    Remote Control

    EgyptAir Flight 990 anyone?

  47. Ex-fed
    Stop

    Thirty years later?

    This type of crime is often refered to as "Phantom Controlling". I ran a federal task force that resulted in the first and only arrest of an individual for issuing false air traffic control commands to passenger aircraft thirty years ago. The incident was briefed to the White House with several solutions to stop future occurrences. Once again, it looks like the FAA is waiting for people to die before doing their job. If you want to read about the crime, read the novel "Phantom Controller".

  48. Alan Firminger

    We need to know.

    Quite often military aircraft have to join civil traffic streams, so their systems have to be compatible.

    Does the military fly with vulnerable systems ?

    That question puts a civil servant on the spot. If the answer is no then it it another betrayal of aircrew and implies that nuclear weapons could be brought down on city centres to disintegrate; and if yes then how dare they knowingly deny civil aircraft the same security.

    1. Vic

      Re: We need to know.

      > Does the military fly with vulnerable systems ?

      That would be the wrong question, and give rise to very misleading statements.

      The proper question would be "Does the military *rely on* vulnerable systems?"

      Just because you have a vulnerable unit for compatability, it doesn't mean it's your only manner of obtaining that information...

      Vic.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020